MoonBounce Malware Hides In Your BIOS Chip, Persists After Drive Formats

A new type of malware takes a decidedly more stealthy and hard-to-remove path into your OS — it hides in your BIOS chip and thus remains even after you reinstall your OS or format your hard drive.

Kaspersky has observed the growth of Unified Extensible Firmware Interface (UEFI) firmware malware threats since 2019, with most storing malware on the EFI System Partition of the PC’s storage device. However, a sinister development has been spotted over the New Year with a new UEFI malware, detected by Kaspersky’s firmware scanner logs, that implants malicious code into the motherboard’s Serial Peripheral Interface (SPI) flash. The security researchers have dubbed this flash-resident UEFI malware ‘MoonBounce’.

MoonBounce isn’t the first UEFI malware discovered in the wild that targets SPI flash. Kaspersky says that the likes of LoJax and MosaicRegressor came before it. However, MoonBounce shows “significant advancement, with a more complicated attack flow and greater technical sophistication.” It also seems to have infected a machine remotely.

MoonBounce is undeniably clever in the way it gets into a system and makes itself hard to detect and dispose of. “The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot Services Table,” explains Kaspersky on its SecureList blog. The hooks are then used to divert function calls to the malicious shellcode that the attackers have appended to the CORE_DXE image. This, in turn, “sets up additional hooks in subsequent components of the boot chain, namely the Windows loader,” said the security researchers. This allows the malware to be injected into an svchost.exe process when the computer boots into Windows.

Magic marker values replaced during execution within shellcodes in MoonBounce. (Image credit: Kaspersky Labs)

Transport Technology Company the Only Logged Attack so Far